W32/Forbot-BP

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Forbot-BP.

W32/Forbot-BP is a network worm which attempts to spread via network shares. The worm contains backdoor Trojan functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background. W32/Forbot-BP is a network worm which attempts to spread via network shares. The worm contains backdoor Trojan functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.

When run W32/Forbot-BP moves itself to the Windows System folder as crsrs.exe and creates the following registry entries so as to run itself either on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Auto updat = crsrs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Auto updat = crsrs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Auto updat = crsrs.exe

Once installed, W32/Forbot-BP will attempt to perform the following actions when instructed to do so by a remote attacker:

- setup a SOCKS4 proxy
- setup a HTTP proxy
- delete network shares
- partake in denial of service (DDOS) attacks
- port scan IP addresses
- download and run files from the Internet
- steal CD keys

The worm will also create the following registry entries:-

HKLM\SYSTEM\CurrentControlSet\Services\crcss.exe\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CRCSS.EXE\

W32/Forbot-BP also creates its own service named "crcss.exe", with the display name "Auto updat".

W32/Forbot-BP can spread to unpatched machines affected by the LSASS vulnerability (MS04-011).